Transition US website -- google search results displaying spam

Carl Shuller

Hi,

I maintain the TUS website and wanted to get some thoughts from this group. When you type something like 'transition movement' into a search engine you will see an ad for xanax under the link to our website. Here is my path to resolving it; I was hoping to get your feedback ...

1) Search all core files for embedded text and delete (in process)
2) If this does not work then restore from backup (database and files)
3) Do an upgrade of core and all modules
4) Request Google to rescan our site

Has this kind of thing happened to anyone on this list before?

Thanks in advance for your thoughts,

Carl

Comments

update #1

Carl Shuller

I did a search of all files on the webserver and there are no files with the word "xanax" in them. So this begs the question: where does this text reside if not in the files? I forgot to mention in my initial post that I also searched the database for the term and it does not exist.

Baffling

aangel

Hi, Carl. If you've checked all the regular spots the next step is to dump the database, open the file in a text editor and search for "xanax." That should show you where it's lurking! Let me know if you need help doing this.

Andre Angelantoni
Founder, PostPeakLiving.com


Carl Shuller

Thanks Andre. I did this and "xanax" wasn't anywhere to be found.

Google's cache

benstallings

I've been having the same problem with a client's site: http://www.google.com/search?q=foxtalesint
The word "cialis" is nowhere in the page source, and yet it has wound up in Google's index somehow. Funny thing is, I think Google knows it, because if you look carefully at the search results you'll notice that there are no "Cached" links to click on the corrupted listings, only on the correct ones. So evidently Google has already purged their cache of the corrupted listings but has not yet purged the index.

In any case there's not much we can do except resubmit the site for indexing and hope they get to it soon. Good luck!

Update

Carl Shuller

Thanks Ben. You may want to run 'Fetch As Googlebot' (http://www.googlelabs.com/show_details?app_key=agtnbGFiczIwLXd3d3IUCxIMT...) as this will show you what the search engine actually sees. In our case the spam is being placed in via the index.php file. A very long piece of code starting with "@preg_replace("\x40\50\x...." was inserted. I deleted this code and reran 'Fetch as Googlebot' and the problem went away (or so I thought). I checked again this morning and sure enough the index.php file had been modified again.

So the next question is how is the file getting changed?

A) Local malware is capturing my ftp pw and accessing index.php
B) Security hole in module and/or core Drupal code
C) Some server-side exploitation

I cleaned my computer using AVG + Spybot and then changed the FTP password. I realize this may not be enough to rule out this possibility but I'm not sure what else to do. I am in the process of updating modules and core but this is daunting and I am taking it very slowly. Our host claims that they have scanned the server and it is clean.

I am sharing this in the hope that 1) someone might have a silver bullet and 2) it lets you know that the logical step of scanning files and the db is not enough to ensure that you haven't been compromised.

Best,

Carl
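A defender-side check for the kind of injection described in this post, added here as an example (it is not code from the thread, from Drupal, or from the site's host): it scans PHP source for preg_replace() calls whose pattern argument is built mostly from \x/octal escapes, decodes the pattern, and reports whether it carries the e modifier, which makes PHP evaluate the replacement as code. The sample index.php content is constructed; the replacement argument is a placeholder, not the real injected body.

```python
import re

# Constructed sample of an index.php header: a normal Drupal 6 bootstrap line with an
# injected statement of the shape quoted in the thread (@preg_replace("\x40\50\x...).
# The second argument is a placeholder, not a real payload.
SAMPLE_INDEX_PHP = r'''<?php
require_once './includes/bootstrap.inc';
@preg_replace("\x40\50\x2e\x2a\x29\x40\x65", "CONSTRUCTED_PLACEHOLDER", "");
drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);
'''

# PHP double-quoted string escapes: \xHH (hex) and \NNN (octal)
ESCAPE_RE = re.compile(r'\\x[0-9a-fA-F]{2}|\\[0-7]{1,3}')
# preg_replace( "pattern" ... ) with an optional error-suppressing @ in front
CALL_RE = re.compile(r'@?\s*preg_replace\s*\(\s*"((?:[^"\\]|\\.)*)"')


def decode_php_escapes(s):
    """Turn the \\xHH and \\NNN escapes of a PHP double-quoted string into characters."""
    def repl(m):
        tok = m.group(0)
        return chr(int(tok[2:], 16)) if tok.startswith('\\x') else chr(int(tok[1:], 8))
    return ESCAPE_RE.sub(repl, s)


def pcre_modifiers(pattern):
    """Return the modifier letters after a PCRE pattern's closing delimiter ('' if none)."""
    if not pattern:
        return ''
    delim = pattern[0]
    return pattern.rsplit(delim, 1)[-1] if pattern.count(delim) >= 2 else ''


def scan_php(source, min_escapes=4):
    """Flag preg_replace() calls whose pattern is escape-obfuscated or whose decoded
    pattern uses the deprecated 'e' modifier (replacement evaluated as PHP)."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in CALL_RE.finditer(line):
            raw = m.group(1)
            n_esc = len(ESCAPE_RE.findall(raw))
            decoded = decode_php_escapes(raw)
            mods = pcre_modifiers(decoded)
            if n_esc >= min_escapes or 'e' in mods:
                findings.append({'line': lineno, 'escape_count': n_esc,
                                 'decoded_pattern': decoded, 'modifiers': mods})
    return findings


if __name__ == '__main__':
    for finding in scan_php(SAMPLE_INDEX_PHP):
        print(finding)
```

Run it over every .php file in the webroot (not only index.php), since the thread later shows the same code turning up in a second file.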

FTP most likely

jim kirkpatrick

Hi Carl, I would suggest that an FTP breach was the most likely route.

One of my sites on my host got hacked a while back with a similar php insert and they tried to blame my PC and a virus until I said I use Ubuntu... I reckon it was a breach at their end but have no proof.

You've done/are doing all the right things but it might be an idea to ask your host for SFTP access as added security - FTP is notoriously insecure. Are you on shared hosting or a VPS? Again, the former is much less secure.

Transition as a movement is likely to attract some unwelcome attention in the forthcoming years; security is going to be a big deal.

Good luck!

Jim

FTP most likely

jim kirkpatrick

(Grrrr... stupid double posting phone... grumble grumble)

Thanks Jim

Carl Shuller

Here is what our host said via email earlier today ...

"Besides regular FTP, we also support FTP over SSL. The secure server name is secure5.gaiahost.coop

However, if this is a malware application running on your computer, it may be reading the stored passwords directly, or sniffing them through your FTP connection. The SSL layer will only encrypt the data connection between your computer and ours, so it may not be enough to protect you from malware that's running on your computer."

What do y'all use to move files?

Depends

aangel

Depending on the situation, I might ssh into a box (i.e. get in via the command line) and use rsync and scp.

However, when I can use FTP I often do because I like my FTP client so much :-). I'm on a Mac and my favorite FTP program is Yummy FTP, which handles all forms of transfer.

If you don't want to get into the command line, get a client like Yummy and do FTPS/FTP over SSL (different way to say the same thing).

Here is an article that helps distinguish your options:
http://www.rebex.net/kb/secure-ftp.aspx

Andre Angelantoni
Founder, PostPeakLiving.com

FTP client

edmittance

I'm a fan of cyberduck - on a mac...

Filezilla

jim kirkpatrick

http://filezilla-project.org/

Open source, cross platform, supports everything...


Carl Shuller

I also use Filezilla. From what I am hearing it really isn't a function of the software. It doesn't sound like passwords can be secured when using FTP. Unfortunately that is all my host (gaiahost.coop) supports.

I thought I had isolated the issue after changing (stripping the spam code from) the index.php and then changing the FTP password. But after about 36 hours a new file showed up in the root directory (crona.php). I posted more details on the Drupal forums (http://drupal.org/node/950840). I am not sure how to describe it other than that crona.php is taking over the role of index.php ... if I delete crona.php the site is not accessible. I stripped the spam code from crona.php and am waiting to see if I can catch something in the log files if/when it gets modified again. In the meantime I am not opening my FTP client (perhaps naively thinking that if I don't open the FTP client then the password can't be compromised). I have swept all computers (AVG + Spybot) and they are supposedly clean. Not sure what else I can do at this point.

I am in the process of bringing Drupal Core and modules up to date. We are currently on 6.09! If anyone is interested in assisting and/or showing me how to best tackle the update process please don't hesitate to reach out.

Thanks again for everyone's input to date.

Best,

Carl
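Since searching for a known string was not enough and a new file (crona.php) appeared between checks, a file-integrity baseline is the check that would catch both the rewritten index.php and the dropped file. This is an added example, not code from the thread or from Drupal: it hashes every file under a webroot, serialises the baseline as JSON (keep that copy somewhere the FTP account cannot write to), and reports added, removed and modified files. The directory layout and file contents in demo() are constructed.

```python
import hashlib
import json
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large uploads do not load into memory."""
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(65536), b''):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline


def compare(old, new):
    """Diff two baselines; any entry here is something to inspect, not just index.php."""
    return {
        'added': sorted(p for p in new if p not in old),
        'removed': sorted(p for p in old if p not in new),
        'modified': sorted(p for p in new if p in old and new[p] != old[p]),
    }


def demo():
    """Constructed scenario mirroring the thread: a clean webroot is baselined, then
    index.php is altered and a crona.php appears in the root directory."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, 'index.php'), 'w') as f:
            f.write("<?php require_once './includes/bootstrap.inc';\n")
        os.mkdir(os.path.join(root, 'sites'))
        with open(os.path.join(root, 'sites', 'settings.php'), 'w') as f:
            f.write("<?php $db_url = 'PLACEHOLDER';\n")
        stored = json.dumps(build_baseline(root))  # the copy you keep off the server
        with open(os.path.join(root, 'index.php'), 'a') as f:
            f.write("/* constructed: stands in for an injected line */\n")
        with open(os.path.join(root, 'crona.php'), 'w') as f:
            f.write("<?php /* constructed: stands in for a dropped file */\n")
        return compare(json.loads(stored), build_baseline(root))
```

Run build_baseline() right after a clean install or update, and compare() on a schedule from a machine other than the web server, so the report itself cannot be edited with the same credentials that changed the files.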

this may help you...

bastoubach

I just found out about the supercron module today at Drupalcamp Montreal
http://drupal.org/project/supercron
Apparently, you can tell Drupal which IP address you authorize to run cron.php...
